Risk assessment and management are required for cyber security in both the public and private sectors. The job of assessing information security risk has generally fallen to analysts who specialize in computer system security. However, the standards for risk assessment and management that have proved adequate for conventional engineering risk (component failure, accidents, and other events with a measurable rate) have typically proved less useful for assessing the risk of deliberate human attack on an information system (IS): an adaptive adversary seeks out the weakest point rather than failing at a fixed rate.
Generally, security analysts make a risk assessment by scoping the risk as a vulnerability or a compliance control. They may use the assessment provided by a vulnerability scanning tool or a standard for vulnerability scoring such as the Common Vulnerability Scoring System (CVSS). Alternatively, they may subjectively assign a likelihood and a consequence based on their own knowledge and experience. These approaches generally assess only one or a few of the conditions associated with the risk, which limits the assessment's accuracy: a CVSS base score, for example, rates the severity of a vulnerability in isolation and is the same whether the affected system is exposed to the Internet or isolated and well protected.
Vulnerabilities can be thought of as conditions that make an attack likely, controls as conditions that limit that likelihood, and consequences as conditions of significant negative impact. A risk assessment should therefore include every condition that facilitates the risk (increases its likelihood), inhibits it (decreases its likelihood), or determines its impact. In other words, a risk cannot be defined simply by a vulnerability; it must also include the vulnerability's context. Because information security risk usually involves a human adversary possessing free thought and will, the analysis should also include the adversary's actions, and the events they cause, as part of that context.